Microsoft Announces Third Major Malware Disruption Since Cybercrime Center Launched

In a blog post on July 1, Microsoft announced the disruption of two widely spread malware families whose command-and-control infrastructure relied on free dynamic DNS hostnames from No-IP.com. Two foreign nationals, Mohamed Benabdellah and Naser Al Mutairi, along with a U.S. company, Vitalwerks Internet Solutions, LLC (the operator of No-IP), were named in a civil lawsuit filed on June 19, 2014. The complaint is available in its entirety online.

This marks the tenth malware disruption overall since the company began its legal campaign against cybercrime in February 2010, and the third since the Microsoft Cybercrime Center opened in November 2013. The Cybercrime Center is a facility dedicated to monitoring, locating and disrupting online crime in order to protect Microsoft and its customers.

Benabdellah and Al Mutairi used social media to promote the Bladabindi (NJrat) and Jenxcus (NJw0rm) malware families, posting step-by-step instructions that let anyone infect and remotely control the computers of unsuspecting victims; millions of machines worldwide were infected as a result. Microsoft alone recorded more than 7.4 million Bladabindi-Jenxcus detections over the preceding 12 months, a figure that excludes detections by other anti-virus vendors.

According to Microsoft, it resorted to legal action after members of the security community had repeatedly complained to No-IP about abuse of its free dynamic DNS hostnames without result. Microsoft's complaint alleged that No-IP hostnames were used in roughly 93 percent of all Bladabindi-Jenxcus infections.

On June 26, 2014, the U.S. District Court for the District of Nevada granted Microsoft authority over 23 No-IP domains. Microsoft then redirected DNS for those domains to a "sinkhole", so that infected machines looking up their command-and-control hostnames reached Microsoft-controlled servers instead of the attackers', and used reverse engineering of the malware to develop cleaning guidance for affected machines.

Discuss this Article

What's scary to me is not only that there are nutball/mental cases like No-IP.com out there (probably just another loony terrorist site run by Satan, Esquire), but that there are people--Americans--who would actually go to these moronic sites and do what they are told like obedient little mindless robots--all in order to "feel a part of something larger" than themselves. Man, what puny lives these folks must live.

Good job, Microsoft! Keep it up. Best case: turn their own software (or something worse) loose inside their own site systems, hit 'em with perpetual DoS attacks, block the IPs, etc. That ought to keep these reprobates too busy to bother the rest of us, one hopes...;)

So many problems with how this was handled, and calling it a success can only be done by doing the Ostrich maneuver.

#1 No-IP.com WAS NOT THE SOURCE of said attacks. The perpetrators were using the service.

#2 No-IP WAS NEVER NOTIFIED that their service was being used for illegal activities. Someone please read their terms of service.

#3 Microsoft's own DNS service died horribly when they tried to take over the domains.

#4 The domains are owned by No-IP. How did Microsoft talk a court into letting them take control of another company's property (isn't the court supposed to appoint a 3rd party if it determines that property is being confiscated?)

Microsoft has actually admitted it screwed up. See http://www.noip.com/blog/2014/07/09/vitalwerks-microsoft-reach-settlement/

Sorry Mr. Trent, but this wasn't an example of Microsoft doing good, but doing evil. By naming No-IP in the lawsuit without notifying them about what was going on they made a horrible mistake. Then they went and made the mistake worse by thumb-fingering a dynamic DNS service.

If they had just shut down the servers being used to control the botnet, that would have been good.

I've covered this more recently, and you'll see that things have definitely changed since this article posted. To be clear, though, No-IP can't feign ignorance. They were notified of the problem from different areas (including security vendors) over the last year and they did nothing about it. I'm not defending how Microsoft went about it, only that something needed to be done. The methods used were definitely draconian and not well planned.
